#!

###########################
# Firewall Settings Address
###########################
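config firewall address
# FQDN address objects for the Apple (iTunes / App Store / macOS update) and
# Microsoft (Windows Update) endpoints that outbound policies must allow.
# Security-relevant caveats for anyone using these objects:
#  - They are type fqdn, so the FortiGate resolves each name with its own
#    configured DNS servers and caches the answer (cache-ttl 1800; FortiOS
#    treats this as a minimum TTL of ~30 min -- confirm against the release
#    in use). A policy built on them is only as trustworthy as that DNS path:
#    point the unit at resolvers you control and keep them reachable only
#    over a path you trust.
#  - CDN-backed names (e.g. phobos.apple.com.edgesuite.net, the Akamai
#    edge for phobos.apple.com) resolve to large, changing IP sets; a policy
#    that allows "anything these names resolve to" is correspondingly broad.
#  - Several of the Microsoft names are legacy (ntservicepack,
#    test.stats.update); keep the list aligned with the vendor's current
#    published endpoint list rather than growing it ad hoc.
# Consistency fix: the last entry previously closed with "end" directly;
# "next" is added so every entry is terminated the same way ("end" from
# inside an edit also commits the entry, so behaviour is unchanged).
edit "host-mydomain1-albert.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server mydomain1-sg0e0"
set fqdn "albert.apple.com"
next
edit "host-mydomain1-ax.itunes.apple.com"
set type fqdn
set cache-ttl 1800
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set color 7
set fqdn "ax.itunes.apple.com"
next
edit "host-mydomain1-deimos3.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "deimos3.apple.com"
next
edit "host-mydomain1-download.windowsupdate.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "download.windowsupdate.com"
next
edit "host-mydomain1-gs.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "gs.apple.com"
next
edit "host-mydomain1-itunes.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "itunes.apple.com"
next
edit "host-mydomain1-metrics.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "metrics.apple.com"
next
edit "host-mydomain1-phobos.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "phobos.apple.com"
next
edit "host-mydomain1-phobos.apple.com.edgesuite.net"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "phobos.apple.com.edgesuite.net"
next
edit "host-mydomain1-swcdn.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swcdn.apple.com"
next
edit "host-mydomain1-swdownload.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swdownload.apple.com"
next
edit "host-mydomain1-swquery.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swquery.apple.com"
next
edit "host-mydomain1-swscan.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Mac OSx Update Server mydomain1-sg0e0"
set fqdn "swscan.apple.com"
next
edit "host-mydomain1-update.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "update.microsoft.com"
next
edit "host-mydomain1-appldnld.apple.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "ITunes Server / AppStore Server mydomain1-sg0e0"
set fqdn "appldnld.apple.com"
next
# www.msftncsi.com is the Windows Network Connectivity Status Indicator
# probe host, not an update download host; it is labelled "Windows Update
# Server" below and grouped with the update servers, presumably so that
# clients' connectivity probes succeed through the same policy.
edit "host-mydomain1-www.msftncsi.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "www.msftncsi.com"
next
edit "host-mydomain1-windowsupdate.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "windowsupdate.microsoft.com"
next
edit "host-mydomain1-download.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "download.microsoft.com"
next
edit "host-mydomain1-test.stats.update.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "test.stats.update.microsoft.com"
next
edit "host-mydomain1-ntservicepack.microsoft.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "ntservicepack.microsoft.com"
next
edit "host-mydomain1-au.download.windowsupdate.com"
set type fqdn
set cache-ttl 1800
set color 7
set comment "Windows Update Server mydomain1-sg0e0"
set fqdn "au.download.windowsupdate.com"
next
end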
###########################
# Firewall Settings Address Group
###########################
config firewall addrgrp
# Address groups that firewall policies reference instead of the individual
# host objects. Ordering matters when this is applied as a script: FortiOS
# rejects a "set member" that names an object which does not exist yet, so
# this stanza must run after "config firewall address" above -- and after
# whatever defines the fw-interface-mydomain1-* objects used by
# gr-mydomain1-fw-interface, which are not defined in this file.
edit "gr-mydomain1-apple-itunes-appstore-server"
set member "host-mydomain1-albert.apple.com" "host-mydomain1-appldnld.apple.com" "host-mydomain1-ax.itunes.apple.com" "host-mydomain1-deimos3.apple.com" "host-mydomain1-gs.apple.com" "host-mydomain1-itunes.apple.com" "host-mydomain1-metrics.apple.com" "host-mydomain1-phobos.apple.com" "host-mydomain1-phobos.apple.com.edgesuite.net"
set comment "Group itunes appstoare update server mydomain1-sg0e0"
set color 7
next
edit "gr-mydomain1-mac-osx-update-server"
set member "host-mydomain1-swcdn.apple.com" "host-mydomain1-swdownload.apple.com" "host-mydomain1-swquery.apple.com" "host-mydomain1-swscan.apple.com"
set comment "Group mac os x update server mydomain1-sg0e0"
set color 7
next
# NOTE(review): the member names embed 1.1.1.1/32 -- a globally routed
# address (Cloudflare's public resolver) -- and three hosts in 198.18.0.0/15,
# the RFC 2544 benchmarking range. If these are sanitised placeholders,
# say so here; if they are the real interface addresses, confirm that
# 1.1.1.1 really belongs to this unit, because policies that treat this
# group as "the firewall itself" would otherwise also match traffic to or
# from that public host.
edit "gr-mydomain1-fw-interface"
set member "fw-interface-mydomain1-1.1.1.1-32" "fw-interface-mydomain1-198.18.0.1-32" "fw-interface-mydomain1-198.18.2.1-32" "fw-interface-mydomain1-198.18.2.129-32"
set comment "Firewall interface ip mydomain1-sg0e0"
set color 1
next
# Includes www.msftncsi.com (the Windows connectivity probe host) alongside
# the actual update download hosts.
edit "gr-mydomain1-windows-update-server"
set member "host-mydomain1-au.download.windowsupdate.com" "host-mydomain1-download.microsoft.com" "host-mydomain1-download.windowsupdate.com" "host-mydomain1-ntservicepack.microsoft.com" "host-mydomain1-test.stats.update.microsoft.com" "host-mydomain1-update.microsoft.com" "host-mydomain1-windowsupdate.microsoft.com" "host-mydomain1-www.msftncsi.com"
set comment "Group windows update server mydomain1-sg0e0"
set color 7
next
end
###########################
# Firewall Settings Deep-Inspection / SSL-SSH-Profile
###########################
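config firewall deep-inspection-options
# SSL/TLS deep-inspection (man-in-the-middle proxy) profile. With
# "inspect-all disable" only the protocol stanzas with "status enable" are
# intercepted, and that is HTTPS on tcp/443 only; ftps/imaps/pop3s/smtps are
# present but disabled, and are kept so that enabling one later inherits the
# same certificate-handling settings.
#
# Certificate handling (reviewed):
#  - allow-invalid-server-cert is set to DISABLE on every stanza. It was
#    previously "enable", which makes the proxy accept expired, self-signed
#    or untrusted upstream certificates and re-sign the session with the
#    proxy CA -- the client then sees a valid certificate and the user never
#    gets the warning, so the firewall silently suppresses exactly the error
#    that would reveal an interposed or misconfigured server. With it
#    disabled such sessions fail closed and are logged
#    (ssl-invalid-server-cert-log enable). For known self-signed internal
#    hosts add a per-destination exemption rather than re-enabling this
#    globally.
#  - unsupported-ssl bypass: sessions the proxy cannot parse (unsupported
#    versions / cipher suites) pass through UNinspected instead of being
#    dropped. That is an availability choice; watch the UTM logs for how
#    often it fires, since anything that can negotiate into that path gets
#    around inspection.
#  - client-cert-request bypass (https, ftps): servers that ask for a client
#    certificate are passed uninspected, because the proxy cannot present
#    the user's certificate. The mail stanzas use "inspect"; that only
#    matters if they are enabled.
#  - ssl-ca-list disable is left unchanged (not reviewed here).
#  - caname/certname Fortinet_CA_SSLProxy is the factory proxy CA shipped on
#    the unit. Every client must trust it for inspected HTTPS to work;
#    prefer a sub-CA issued by the organisation's own PKI so that the
#    re-signing key is one the organisation controls and can revoke.
edit "mydomain1-default.local"
set comment "Encrypted default profile mydomain1.ch"
config ssl
set inspect-all disable
set allow-invalid-server-cert disable
set ssl-ca-list disable
end
config https
set ports 443
set status enable
set client-cert-request bypass
set unsupported-ssl bypass
set allow-invalid-server-cert disable
set ssl-ca-list disable
end
config ftps
set ports 990
set status disable
set client-cert-request bypass
set unsupported-ssl bypass
set allow-invalid-server-cert disable
set ssl-ca-list disable
end
config imaps
set ports 993
set status disable
set client-cert-request inspect
set unsupported-ssl bypass
set allow-invalid-server-cert disable
set ssl-ca-list disable
end
config pop3s
set ports 995
set status disable
set client-cert-request inspect
set unsupported-ssl bypass
set allow-invalid-server-cert disable
set ssl-ca-list disable
end
config smtps
set ports 465
set status disable
set client-cert-request inspect
set unsupported-ssl bypass
set allow-invalid-server-cert disable
set ssl-ca-list disable
end
set caname Fortinet_CA_SSLProxy
set certname Fortinet_CA_SSLProxy
set extended-utm-log enable
set ssl-invalid-server-cert-log enable
next
end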
###########################
# Firewall Settings Protocol Options
###########################
config firewall profile-protocol-options
# Proxy-options profile for the clear-text protocols; the deep-inspection
# profile of the same name covers the TLS-wrapped ones. Only the listed
# ports are proxied (http 80, ftp 21, imap 143, pop3 110, smtp 25, dns 53);
# the same protocol on any other port is not handled by this profile.
# mapi, nntp and im are disabled.
edit "mydomain1-default.local"
set comment "Unencrypted default profile mydomain1.ch"
# Logging: extended UTM logs, a log line when a transfer exceeds the
# oversize limit, and one when a connection switches protocols (e.g. an
# HTTP Upgrade). oversize-log only LOGS; whether oversized files are passed
# or blocked comes from the oversize action, which is not set here and so
# takes the platform default -- confirm that before relying on this profile
# to stop large downloads.
set extended-utm-log enable
set oversize-log enable
set switching-protocols-log enable
config http
set ports 80
# clientcomfort: the proxy trickles data to the client while it is still
# buffering/scanning a download so that browsers do not time out. Caveat:
# whatever has already been "comforted" through before the scan verdict
# has reached the client; if that is unacceptable, drop the option and
# accept slower large downloads.
set options clientcomfort
# No explicit POST character-set list (platform default).
unset post-lang
end
config ftp
set ports 21
set options clientcomfort
end
config imap
set ports 143
# fragmail: pass fragmented e-mail messages (FortiOS "pass fragmented
# email") rather than blocking them -- availability over coverage, since
# a fragmented message presumably cannot be scanned as a whole.
set options fragmail
end
config mapi
set ports 135
set status disable
set options fragmail
end
config pop3
set ports 110
set options fragmail
end
config smtp
set ports 25
set options fragmail
end
config nntp
set ports 119
set status disable
unset options
end
config im
set status disable
unset options
end
config dns
set status enable
set ports 53
end
next
end
###########################
# Firewall DoS Policy (anomaly / flood thresholds, config firewall DoS-policy)
###########################
config firewall DoS-policy
# Anomaly sensors for traffic arriving on wan1 only (srcaddr/dstaddr all,
# service ALL). Other interfaces are not covered by this policy.
# How to read the table below:
#  - "set action block" appears only on tcp_syn_flood, udp_flood and
#    icmp_flood. The other sensors with "status enable" (tcp_port_scan,
#    udp_scan, icmp_sweep and the per-source / per-destination session
#    counters) have no action line, so they take the platform default,
#    which on the releases this syntax belongs to is "pass" -- i.e. they
#    only generate a log. Confirm that is intended: a port scan that is
#    logged but not blocked is detection, not a control.
#  - ip_src_session, ip_dst_session and the sctp_* sensors carry a
#    threshold but no "set status enable", so they stay disabled; the
#    threshold is only a preset for when they are switched on.
#  - Thresholds: per the sensor names, the flood/scan values are rates and
#    the *_session values are concurrent-session counts (verify units
#    against the release documentation). Tune them to the measured baseline
#    of wan1 instead of keeping these round numbers, and re-check after any
#    change in user count or NAT layout -- a single NAT'd source can
#    legitimately exceed a per-source counter.
edit 1
set interface wan1
set srcaddr all
set dstaddr all
set service ALL
config anomaly
edit "tcp_syn_flood"
set status enable
set action block
set threshold 2000
next
# Log-only (no action line).
edit "tcp_port_scan"
set status enable
set threshold 1000
next
edit "tcp_src_session"
set status enable
set threshold 5000
next
edit "tcp_dst_session"
set status enable
set threshold 5000
next
edit "udp_flood"
set status enable
set action block
set threshold 2000
next
# Log-only (no action line).
edit "udp_scan"
set status enable
set threshold 2000
next
edit "udp_src_session"
set status enable
set threshold 5000
next
edit "udp_dst_session"
set status enable
set threshold 5000
next
edit "icmp_flood"
set status enable
set action block
set threshold 250
next
# Log-only (no action line).
edit "icmp_sweep"
set status enable
set threshold 100
next
edit "icmp_src_session"
set status enable
set threshold 300
next
edit "icmp_dst_session"
set status enable
set threshold 1000
next
# The six sensors below are not enabled (no "set status enable").
edit "ip_src_session"
set threshold 5000
next
edit "ip_dst_session"
set threshold 5000
next
edit "sctp_flood"
set threshold 2000
next
edit "sctp_scan"
set threshold 1000
next
edit "sctp_src_session"
set threshold 5000
next
edit "sctp_dst_session"
set threshold 5000
next
end
next
end
###########################
# Firewall Traffic Shaper
###########################
config firewall shaper traffic-shaper
# Shapers referenced from firewall policies. Bandwidth values are in
# kbit/s (FortiOS convention; verify on the release in use). 1048576 kbit/s
# (1 Gbit/s) on the priority shapers is effectively "no cap": their purpose
# is the queue priority, not a rate limit.
edit "mydomain1-high-priority.local"
# per-policy enable: every policy that references this shaper gets its own
# instance of the limit instead of sharing one bucket.
set maximum-bandwidth 1048576
set per-policy enable
set priority high
next
edit "mydomain1-medium-priority.local"
set maximum-bandwidth 1048576
set per-policy enable
set priority medium
next
edit "mydomain1-low-priority.local"
set maximum-bandwidth 1048576
set per-policy enable
set priority low
next
# Guarantees 100 kbit/s per referencing policy at the default priority; the
# 1 Gbit/s maximum again means no practical ceiling.
edit "mydomain1-guarantee-100kbps.local"
set guaranteed-bandwidth 100
set maximum-bandwidth 1048576
set per-policy enable
next
# No per-policy line, so this shaper keeps the platform default, which is
# to share one bucket: the 1024 kbit/s cap is divided among every policy
# that references it. That is what the name says, but it also means one
# policy's traffic can starve the others. Priority is left at its default.
edit "mydomain1-shared-1M-pipe.local"
set maximum-bandwidth 1024
next
end